Man in row with bank over hacked phone

"System update in progress. Please wait," read the prompt on Mr Philip Loh's Samsung Galaxy Note 4 smartphone last September. Thinking nothing of it, he went to bed.

Meanwhile, hackers got hold of his credit card details. Six flight tickets were purchased in Eastern Europe - from countries including Russia, Estonia and Latvia. The total price was $12,327.

Now the 47-year-old first aid trainer is entangled in a dispute with United Overseas Bank (UOB) as he tries to get the charges waived.

The bank, which insists its security system was never compromised, is asking him to pay $5,000 of the $12,327, having reduced the amount out of goodwill, or it would take legal action, said Mr Loh.

"How can I pay for something I didn't purchase? I've never even visited those countries before," he told The Straits Times.

When he woke up on Sept 30 last year, his phone was still "updating". He forcibly rebooted it by removing the battery, only to find SMS alerts from UOB on the purchases, as well as the one-time passwords (OTPs) used to authenticate them.

Shocked, he cancelled his credit card before going to the police and Consumers Association of Singapore (Case) for help.

Man in row with bank over hacked phone

  • "System update in progress. Please wait," read the prompt on Mr Philip Loh's Samsung Galaxy Note 4 smartphone last September. Thinking nothing of it, he went to bed.
  • Meanwhile, hackers got hold of his credit card details. Six flight tickets were purchased in Eastern Europe - from countries including Russia, Estonia and Latvia. The total price was $12,327.
  • Now the 47-year-old first aid trainer is entangled in a dispute with United Overseas Bank (UOB) as he tries to get the charges waived.
  • The bank, which insists its security system was never compromised, is asking him to pay $5,000 of the $12,327, having reduced the amount out of goodwill, or it would take legal action, said Mr Loh.
  • Mr Loh appears to be one of the victims of a malicious programme that the Association of Banks in Singapore (ABS) warned the public about last month.

Mr Loh appears to be one of the victims of a malicious programme that the Association of Banks in Singapore (ABS) warned the public about last month. He insists he has entered his credit card details on his phone only twice or thrice in the past year - to buy movie tickets online.

He was told by the bank that one of the reasons the payments could not be waived was that they were made under the "3D secure payment system" - which authenticates online transactions by sending an OTP to the customer's cellphone. The Straits Times understands that because the hackers obtained the OTPs, the payment system was not compromised.

UOB said: "We review each customer dispute case thoroughly and take into account a number of contributing or mitigating factors. These include whether a customer had provided his credit card information on a phishing site or if transactions were authorised with an SMS OTP. In this present case, the bank's security measures were not compromised."

An ABS spokesman said that in some reported cases, consumers provided their credit card information on websites without checking if they were legitimate. "These allowed hackers to 'take control' of their smartphones to perform fraudulent online transactions."

Case executive director Seah Seng Choon said banks need to keep in mind shifting security vulnerabilities. "If a third party can hack into the system and perform transactions in this manner, it shows that the system needs to be reviewed to protect consumer interests."

Information technology lawyers said crooks are starting to get the better of two-factor authentication systems. "The question is: Is it fair for consumers to bear the liability when it is the system that has been compromised by hackers?" said lawyer Bryan Tan.

7 ways to protect yourself against credit card fraud

  • Whenever you receive a new credit card in the mail, don't just let it sit for days along with the rest of your bills and/or junk mail. Take it out, activate it (online or call, whatever is easier for you) and sign the back.
  • The last thing you want is to lose track of it because in a pile with the rest of your "junk" mail - because we all know where junk mail ends up. And the last thing you want is for your credit card to end up in the hands of someone else.
  • If you're tired of receiving your mailed statements, most banks now offer e-statements, which are easier to manage - just make sure you're practicing good online security habits if you are taking the electronic storage route.
  • Whether you're using your credit card at a restaurant, retail establishment, club or bar, make sure you're following your card wherever it goes.
  • Because you want to make sure that your card is being swiped at the establishment's cash register and isn't disappearing into someone else's hands (or being used to make purchases while you're not looking).
  • Checking your receipts against your statement is especially useful if you make plenty of online purchases, as you might find price discrepancies between what you agreed to pay online and what's being shown on your statement.
  • Banks, retailers and government organisations will NEVER call or email you asking for your personal information - especially your credit card number!
  • Seriously, there's no "what if" when it comes to this one. No legitimate institution will ever ask for your credit card over the phone or in email, ever. So don't do it, not matter how legitimate the call sounds or the email looks.
  • Your bank should be near or at the top of your list of people and organisations to inform about your new address. That's because the last thing you want is for your credit card and bank statements to be "lost" in the mail or mailed to your old address where they can end up in anyone's hands.
  • Many credit cards offer "alarms" that send you an SMS or email whenever a charge over a certain amount is made. Some credit cards even offer alerts that send you an SMS/email alert for every charge made on your card.

    That's great because it gives you time to call up the credit card issuer and dispute any "funny" charges made to your card.


This article was first published on Jan 27, 2016.
Get a copy of The Straits Times or go to straitstimes.com for more stories.

SERVICES